Selected viruses, spyware, and other threats: sorted alphabetically
Aliases: W32.SQLExp.Worm, Worm.SQL.Helkern
The worm spreads on PCs running unpatched Microsoft SQL Servers only. It stores no data on the computer disk nor does it change any files therein. A system is attacked by UDP packet 376 bytes long received on port 1434 which is used by the SQL server. The packet exploits a buffer overflow for its activation. The worm on an infected system continually sends its body to the randomly generated IP addresses through UDP port 1434. As a result a big increase of the network traffic can be observed. The worm doesn't have any other destructive effects.
Detailed description of the exploited vulnerability can be found at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp. The disinfection of an infected system can be performed by rebooting the computer followed by installation of the service pack (SP3) available
at: http://www.microsoft.com/sql/downloads/2000/sp3.asp. The patch can also be downloaded at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602.